We often recommend WordPress as a Content Management System (CMS) to our clients because it is free, user-friendly, and provides an enormous amount of functionality right out of the box. As a developer and long-time user I can also attest to the fact that WordPress has a great community built around it’s software and well-written documentation for all users. Overall, WordPress is well-liked by its users and developers, but like all popular technology there are some caveats that everyone should be aware of.
Due to the popularity of WordPress (it is currently the most popular blogging system in use on the web – powering over 60 million websites worldwide), hackers have found it significant enough to disrupt and cause havoc. Recently, a problem that has come to the attention mostly among web hosting companies and WordPress developers are “brute-force attacks”, and illegal “botnets” that infect WordPress websites.
In layman’s terms, these illegal botnets are networks of zombie-like computers that have been infected by a program with the sole purpose of passing it on to other WordPress websites. This happens by way of a “brute-force attack” – or the program trying a huge library of passwords in order to break into a WordPress administrative area. If the program gains access to the administrative area, the website becomes open to a whole host of malicious code injections, essentially knocking the website offline. Fortunately, a knowledgeable developer can be proactive about these security threats and take steps to prevent botnets from entering your website or blog:
1. Choose difficult usernames and passwords for all users of your WordPress site. Passwords should contain special characters and alternate case-letters. Additionally, usernames should not be generic like: “Admin” – which is a very popular choice when creating the most privileged user on a WordPress website – the Administrator. For password management, I highly recommend using a tool called 1Password that will create strong, unique passwords for you, remember them, and restore them all directly in your web browser.
2. Keep WordPress plugins up to date. This is essential to maintaining a healthy WordPress site. You may also want to install plugins like Login Lockdown which helps prevent the brute-force attacks by limiting the amount of failed login attempts.
3. Backup your WordPress Website! This is a given and while it will not save you from these attacks, it can be very useful in case anything should happen to your WordPress website. Liqui-Site recommends Backup Buddy to backup, restore, and if needed – migrate a WordPress site to another domain or server.
4. Have a WordPress developer make additional security refinements to the WordPress core files. Additional steps can be taken on the server to protect the administrative areas of a site. Learn about our content management system solutions – including WordPress – that are cost-effective, scalable and easy to use for any business.